Anti-vulnerability system, method, and computer program product

US 10,104,110 B2
Filed: 12/28/2015
Issued: 10/16/2018
Est. Priority Date: 07/01/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to:

receive first information associated with a plurality of actual vulnerabilities, the first information being based on second information associated with a plurality of potential vulnerabilities;

said first information associated with the plurality of actual vulnerabilities being based on the second information associated with the plurality of potential vulnerabilities, at least in part as a result of a determination that one or more of a plurality of devices is actually vulnerable based on the second information and at least one of an operating system or an application;

based on the first information, display one or more options for selection by at least one user to cause utilization of one or more different occurrence mitigation actions; and

cause utilization of the one or more different occurrence mitigation actions in connection with one or more of the plurality of actual vulnerabilities, the different occurrence mitigation actions including;

a firewall-related occurrence mitigation action that includes sending a firewall update resulting in utilization of a firewall feature for preventing an actual vulnerability addressed by the firewall update from being taken advantage of in response to identification of an occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, andan intrusion detection or prevention system-related occurrence mitigation action that includes sending an intrusion detection or prevention system update resulting in utilization of an intrusion detection or prevention system feature for preventing an actual vulnerability addressed by the intrusion detection or prevention system update from being taken advantage of in response to identification of an occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update;

the display of the one or more options including;

displaying a first option corresponding to the firewall-related occurrence mitigation action utilizing a first user interface element, and displaying a second option corresponding to the intrusion detection or prevention system-related occurrence mitigation action utilizing a second user interface element;

wherein the instructions, when executed by the one or more processors, cause the one or more processors to;

in automatic response to the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, prevent the actual vulnerability addressed by the firewall update from being taken advantage of, utilizing the firewall feature; and

in automatic response to the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update, prevent the actual vulnerability addressed by the intrusion detection or prevention system update from being taken advantage of, utilizing the intrusion detection or prevention system feature.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for identifying a first and second occurrence in connection with at least one of the networked device. In use, it is possible that it is determined that the at least one actual vulnerability of the at least one networked device is capable of being taken advantage of by the first occurrence identified in connection with the at least one networked device. Further, it is also possible that it is determined that the at least one actual vulnerability of the at least one networked device is not capable of being taken advantage of by the second occurrence identified in connection with the at least one networked device. To this end, the first occurrence and the second occurrence are reported differently.

957 Citations

17 Claims

1. A non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to:
- receive first information associated with a plurality of actual vulnerabilities, the first information being based on second information associated with a plurality of potential vulnerabilities;
  
  said first information associated with the plurality of actual vulnerabilities being based on the second information associated with the plurality of potential vulnerabilities, at least in part as a result of a determination that one or more of a plurality of devices is actually vulnerable based on the second information and at least one of an operating system or an application;
  
  based on the first information, display one or more options for selection by at least one user to cause utilization of one or more different occurrence mitigation actions; and
  
  cause utilization of the one or more different occurrence mitigation actions in connection with one or more of the plurality of actual vulnerabilities, the different occurrence mitigation actions including;
  
  a firewall-related occurrence mitigation action that includes sending a firewall update resulting in utilization of a firewall feature for preventing an actual vulnerability addressed by the firewall update from being taken advantage of in response to identification of an occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, andan intrusion detection or prevention system-related occurrence mitigation action that includes sending an intrusion detection or prevention system update resulting in utilization of an intrusion detection or prevention system feature for preventing an actual vulnerability addressed by the intrusion detection or prevention system update from being taken advantage of in response to identification of an occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update;
  
  the display of the one or more options including;
  
  displaying a first option corresponding to the firewall-related occurrence mitigation action utilizing a first user interface element, and displaying a second option corresponding to the intrusion detection or prevention system-related occurrence mitigation action utilizing a second user interface element;
  
  wherein the instructions, when executed by the one or more processors, cause the one or more processors to;
  
  in automatic response to the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, prevent the actual vulnerability addressed by the firewall update from being taken advantage of, utilizing the firewall feature; and
  
  in automatic response to the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update, prevent the actual vulnerability addressed by the intrusion detection or prevention system update from being taken advantage of, utilizing the intrusion detection or prevention system feature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory computer-readable media of claim 1, wherein the instructions, when executed by the one or more processors, cause the one or more processors to:
    - in response to an identification of at least one occurrence in connection with at least one device, display one or more additional options for selection by the at least one user to selectively utilize one or more additional occurrence mitigation actions in connection with the identified at least one occurrence, including;
      
      another firewall-related occurrence mitigation action that includes sending a firewall signal resulting in utilization of the firewall feature for dropping at least one packet in connection with the identified at least one occurrence, andanother intrusion detection or prevention system-related occurrence mitigation action that includes sending an intrusion detection or prevention system signal resulting in utilization of the intrusion detection or prevention system feature for quarantining the at least one device.
  - 3. The non-transitory computer-readable media of claim 2, wherein the instructions are configured such that the one or more options are displayed for pre-occurrence selection in connection with multiple of the plurality of devices, and the one or more additional options are displayed for post-occurrence selection in connection with a single one of the plurality of the devices subjected to the identified at least one occurrence.
  - 4. The non-transitory computer-readable media of claim 2, wherein the instructions, when executed by the one or more processors, cause the one or more processors to:
    - determine the identified at least one occurrence to have a first severity if it is determined that at least one actual vulnerability of at least one of the plurality of devices is susceptible to being taken advantage of by the identified at least one occurrence, and further determining the identified at least one occurrence to have a second severity if it is determined that the at least one actual vulnerability of the at least one of the plurality of devices is not susceptible to being taken advantage of by the identified at least one occurrence; and
      
      report the identified at least one occurrence differently based on whether the identified at least one occurrence is determined to have the first severity or the second severity, utilizing at least one user interface with which the one or more additional options are displayed.
  - 5. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the one or more options include multiple options that are displayed via an intrusion prevention system interface of an intrusion prevention system that is supported by a single client agent that supports at least one aspect of the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update, at least one aspect of receiving the intrusion detection or prevention system update, and at least one aspect of preventing the actual vulnerability addressed by the intrusion detection or prevention system update from being taken advantage of.
  - 6. The non-transitory computer-readable media of claim 5, wherein the instructions are configured such that the single client agent further supports at least one aspect of the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, at least one aspect of receiving the firewall update, and at least one aspect of preventing the actual vulnerability addressed by the firewall update from being taken advantage of.
  - 7. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the one or more options are displayed with different identified actual vulnerabilities.
  - 8. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the display of the one or more options includes displaying the second option corresponding to the intrusion detection or prevention system-related occurrence mitigation action based on identification of the actual vulnerability addressed by the intrusion detection or prevention system update, wherein the non-transitory computer-readable media is operable such that the first option is capable of being selected for a first actual vulnerability, the second option is capable of being selected for a second actual vulnerability, and both the first and second options are capable of being selected for a third actual vulnerability.
  - 9. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the one or more options are displayed based on the first information by displaying the options only for the plurality of actual vulnerabilities.
  - 10. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the one or more options is displayed via at least one user interface of an intrusion prevention system that includes integrated intrusion prevention functionality and firewall functionality that are both supported by a security component that in turn supports at least one aspect of the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update and the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update, and further includes logic that receives the first information and utilizes the first information to effect the display of the one or more options to selectively utilize the intrusion prevention functionality and the firewall functionality as a function of an existence of one or more actual vulnerabilities to reduce false positives in connection with both the intrusion prevention functionality and the firewall functionality.
  - 11. The non-transitory computer-readable media of claim 10, wherein the instructions are configured such that the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update is carried out by:
    - identifying at least one first occurrence packet;
      
      determining whether the actual vulnerability addressed by the firewall update is capable of being taken advantage of by identifying at least one aspect of the at least one first occurrence packet and utilizing the at least one aspect of the at least one first occurrence packet to determine whether the actual vulnerability addressed by the firewall update is capable of being taken advantage of; and
      
      wherein the non-transitory computer-readable media is further operable such that the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update is carried out by;
      
      identifying at least one second occurrence packet;
      
      determining whether the actual vulnerability addressed by the intrusion detection or prevention system update is capable of being taken advantage of by identifying at least one aspect of the at least one second occurrence packet and utilizing the at least one aspect of the at least one second occurrence packet to determine whether the actual vulnerability addressed by the intrusion detection or prevention system update is capable of being taken advantage of.
  - 12. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the actual vulnerability addressed by the firewall update is prevented by filtering or blocking the same, and the actual vulnerability addressed by the intrusion detection or prevention system update is prevented by quarantining at least one device subject to the actual vulnerability addressed by the intrusion detection or prevention system update.
  - 13. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that at least one of the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update, or the identification of the occurrence capable of taking advantage of the actual vulnerability addressed by the intrusion detection or prevention system update, includes an operation utilizing a Common Vulnerabilities and Exposures (CVE) identifier.
  - 14. The non-transitory computer-readable media of claim 1, wherein the instructions are configured such that the different occurrence mitigation actions further include a patch update-related occurrence mitigation action that includes sending a patch update resulting in utilization of an update feature for removing an actual vulnerability addressed by the patch update.
  - 15. The non-transitory computer-readable media of claim 1, wherein at least one of:
    - said firewall update includes a firewall upgrade or a new firewall policy;
      
      said firewall update includes a firewall policy or a firewall setting;
      
      said firewall update is sent to a firewall or a component with firewall functionality;
      
      said firewall update is sent to a firewall or a component with firewall functionality for automatic installation therewith;
      
      said intrusion detection or prevention system update includes an intrusion detection or prevention system upgrade or a new intrusion detection or prevention system policy;
      
      said intrusion detection or prevention system update includes an intrusion detection or prevention system policy or an intrusion detection or prevention system setting;
      
      said intrusion detection or prevention system update is sent to an intrusion detection or prevention system or a component with intrusion detection or prevention system functionality;
      
      said intrusion detection or prevention system update is sent to an intrusion detection or prevention system or a component with intrusion detection or prevention system functionality for automatic installation therewith;
      
      said intrusion detection or prevention system-related occurrence mitigation action includes at least one of an intrusion detection system-related occurrence mitigation action or an intrusion prevention system-related occurrence mitigation action;
      
      said intrusion detection or prevention system update includes at least one of an intrusion detection system update or an intrusion prevention system update;
      
      said second information is received by at least one of;
      
      receiving at least one update from a data storage;
      
      pulling at least one update, or synchronizing with a data storage;
      
      said first information results from a vulnerability scan operation;
      
      said first information identifies the plurality of actual vulnerabilities;
      
      said first information includes at least one of a vulnerability identifier or information related to the plurality of actual vulnerabilities;
      
      said first information includes information related to the plurality of actual vulnerabilities including at least one of remediation information or vulnerability identifiers;
      
      said one or more options are displayed based on the first information, such that the one or more options are selected for display based on the first information;
      
      said one or more options are displayed based on the first information, such that the one or more options are conditionally displayed based on the first information;
      
      said firewall-related occurrence mitigation action includes at least one of removing the actual vulnerability addressed by the firewall update, or reducing an effect of the occurrence capable of taking advantage of the actual vulnerability addressed by the firewall update;
      
      said firewall-related occurrence mitigation action includes at least one of;
      
      an action that results in occurrence mitigation utilizing firewall functionality, or an action that results in occurrence mitigation utilizing a firewall;
      
      said intrusion detection or prevention system-related occurrence mitigation action includes at least one of;
      
      an action that results in occurrence mitigation utilizing intrusion detection or prevention system functionality, or an action that results in occurrence mitigation utilizing an intrusion detection or prevention system;
      
      one or more of said one or more options are capable of being selected before occurrence identification to selectively utilize the different occurrence mitigation actions in connection therewith;
      
      said display of the one or more options is based on the first information;
      
      said one or more options is displayed in connection with the first information;
      
      said different occurrence mitigation actions include different remediation actions;
      
      said occurrence includes at least one of a request, traffic, at least one packet, or a potential attack;
      
      said plurality of actual vulnerabilities include a subset of the plurality of potential vulnerabilities to which one or more of the plurality of devices is determined to be actually vulnerable based on at least one of the operating system or the application;
      
      said first information associated with the plurality of actual vulnerabilities being based on the second information associated with the plurality of potential vulnerabilities, at least in part as a result of a determination that one or more of a plurality of devices is actually vulnerable based on the second information and the operating system;
      
      said first information associated with the plurality of actual vulnerabilities being based on the second information associated with the plurality of potential vulnerabilities, at least in part as a result of a determination that one or more of a plurality of devices is actually vulnerable based on the second information and the application;
      
      said determination that one or more of a plurality of devices is actually vulnerable, is based on an automated process;
      
      said determination that one or more of a plurality of devices is actually vulnerable, is based on a vulnerability scan;
      
      said determination that one or more of a plurality of devices is actually vulnerable, is based on user input;
      
      said one or more options are displayed based on the first information by displaying the options only for the plurality of actual vulnerabilities, before the determining;
      
      said one or more options are displayed based on the first information by displaying the options only for the plurality of actual vulnerabilities, after the determining;
      
      orsaid non-transitory computer-readable media is embodied on a single non-transitory computer readable medium; and
      
      wherein the non-transitory computer-readable media is further operable for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with at least one vulnerability and at least one remediation, and wherein the non-transitory computer-readable media is operable for determining which devices have vulnerabilities by directly querying a firmware or operating system of the devices.

16. A system, comprising:
- an intrusion prevention system component including hardware circuitry capable of accessing at least one data structure identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, such that;
  
  each mitigation technique is capable of mitigating an effect of an attack that takes advantage of a corresponding vulnerability,each mitigation technique has a mitigation type including at least one of a patch, a policy setting, or a configuration option,at least two of the mitigation techniques are capable of mitigating an effect of an attack that takes advantage of a first one of the vulnerabilities, andsaid at least two mitigation techniques configured for occurrence mitigation by preventing advantage being taken of actual vulnerabilities and include a first mitigation technique of a firewall-based occurrence mitigation type that utilizes a firewall action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities and a second mitigation technique of an intrusion prevention system-based occurrence mitigation type that utilizes a real-time intrusion prevention action for at least mitigating the attack that takes advantage of the first one of the vulnerabilities;
  
  said intrusion prevention system component configured for;
  
  based on the first information, causing a display, via at least one display device, of one or more options for selection by a user to cause utilization of at least one of the at least two mitigation techniques;
  
  receiving a selection of at least one of the at least two mitigation techniques; and
  
  automatically applying the selected at least one of the at least two mitigation techniques utilizing a communication between a server and client code supporting the intrusion prevention system component;
  
  wherein the system is configured to;
  
  in the event that the selected at least one mitigation technique includes the first mitigation technique, automatically apply the first mitigation technique, by sending a first communication that results in at least mitigating the effect of the attack that takes advantage of the first one of the vulnerabilities in response thereto; and
  
  in the event that the selected at least one mitigation technique includes the second mitigation technique, automatically apply the second mitigation technique, by sending a second communication that results in at least mitigating the effect of the attack that takes advantage of the first one of the vulnerabilities in response thereto.
- View Dependent Claims (17)
- - 17. The system of claim 16, wherein the system is operable such that the first one of the vulnerabilities is identified as a function of at least one of an operating system or an application identified in connection with a device, so that, in order to avoid false positives, only relevant vulnerabilities prompt mitigation technique user selection among the at least two mitigation techniques.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecurityProfiling, LLC
Original Assignee
SecurityProfiling, LLC
Inventors
Oliphant, Brett M., Blignaut, John P.
Primary Examiner(s)
Abedin, Shanto

Application Number

US14/981,866
Publication Number

US 20160294861A1
Time in Patent Office

1,023 Days
Field of Search

726 11- 13, 726 22- 25
US Class Current
CPC Class Codes

G06F 16/245   Query processing

G06F 21/554   involving event detection a...

G06F 8/65   Updates security arrangemen...

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Anti-vulnerability system, method, and computer program product

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

957 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-vulnerability system, method, and computer program product

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

957 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links